Human factors can influence policy choices for both domestic and international cybersecurity issues. This paper discusses how human factors can affect four selected cybersecurity issues: zero-day exploits, metadata collected and used by the private and public sectors, vulnerability assessments for mobile devices in the BYOD environment, and threats to copyright and ownership of intellectual property. For each of the four topics, the paper details the important security issues, the recommended policy controls, and how or why human factors can influence each of the recommended policy controls.
Copyright, threats and ownership of intellectual property
Important Security Issues
With the proliferation of 3-D printers and the availability of copyrighted materials posted online, there is an additional facet to the current debate surrounding copyright and ownership of intellectual property. Piracy of digital media such as music and videos has been a long-standing issue since the 1990s, with Napster and similar peer-to-peer file sharing programs. There are six ways that intellectual property theft harms U.S. and global consumers and economies. First, online piracy harms content owners as well as trademark owners through lost sales and brand recognition, and through increased costs to protect intellectual property instead of investing in research and development (Growth of Internet Piracy, 2011). Secondly, consumers are harmed when they receive lower quality, inauthentic products that may cause physical harm, as in the case of downloading and creating a 3-D printed model (Growth of Internet Piracy, 2011).
Third, and arguably the most prominent case against piracy, copyright infringement harms economies through lost tax revenues, higher law enforcement costs, and additional harm caused by the government's use of counterfeit products (Growth of Internet Piracy, 2011). This leads to the fourth issue: global economies lose their ability to partner with countries that have weaker intellectual property enforcement (Growth of Internet Piracy, 2011). Fifth, online copyright infringement reduces innovation by decreasing the incentives to create and disseminate ideas, harming the First Amendment (Growth of Internet Piracy, 2011). Finally, supporting online piracy has been linked to supporting international crime syndicates, posing a risk to U.S. national security (Growth of Internet Piracy, 2011).
Recommended Policy Controls
There is no one-size-fits-all set of policy controls when it comes to ownership of intellectual property concerning digital media or 3-D printing. The issue with copyright infringement concerning home 3-D printing boils down to the law. If a personal user directly prints a copyrighted 3-D model from a file-sharing site, then that user has committed a crime. The copyright owner should be compensated; a simple analogy is paying iTunes to be able to play a song from an artist. However, if the user is inspired to create a very similar model, then the copyright owner is not entitled to compensation, because a style cannot be copyrighted (Thompson, 2013). The language of the first 3-D DMCA complaint is indicative of that: user Artur83 was hit with the first-ever DMCA complaint surrounding 3-D printing after creating a Penrose triangle inspired by Dr. Ulrich Schwantz (Rideout, 2011).
The argument was that Artur83 created an independent file after viewing a photo of the completed product (he did not modify an existing file) and that the complaint was unclear as to whether Dr. Schwantz was claiming that the Penrose triangle, a concept published in 1958, was his intellectual property (Rideout, 2011). Ultimately, Dr. Schwantz dropped the DMCA complaint, but it still serves as a precedent for the debate between originality and similarity. If corporations are to crack down on copyright infringement, be it blatantly copying a direct design or limiting creativity and inhibiting innovation, then they will need to lobby Congress to change the laws. With respect to 3-D printing, however, the current laws are good enough. While the 3-D files are CAD files, categorized as pictorial, graphic, and sculptural works that can be protected by copyright, they are excluded from copyright if the file has an intrinsic utilitarian function other than portraying appearance or conveying information (Rideout, 2011).
While each file can be independently reviewed to assess whether an original file is copyrighted, it would be an arduous task, and it would not be fiscally responsible for a company to pursue every similar design. Additionally, current patent laws apply to complete and assembled products; creating replacement parts is currently legal and allowable (Thompson, 2012). If any of this is to change, then corporations will need to lobby. As for combating software piracy, a decent alternative to the growing use of pirated software is open source software (OSS). Open source software completely eliminates the issue of software piracy by giving the end user free access to the software source code and the ability to install unlimited copies of the application without fear of copyright infringement.
The reasons for using open source software as an alternative to piracy are numerous. Arguably the most important reason is that OSS benefits the economy by reducing the rising costs of software development, global competition, and technological diffusion (OSS-Piracy, 2009, p. 168). By using OSS, end users can access larger, community-supported market shares across a wide diversity of product ranges and services. Lower levels of intellectual property law in developing countries tend to result in higher prices and limited availability (OSS-Piracy, 2009, p. 168). As it stands, the current weak laws will ultimately encourage piracy. By using OSS, countries can access a rich ecosystem of different products that have a growing market share and a diverse set of services and support.
How/Why Human Factors Influence Policy
The Internet has become a central actor in the world economy by delivering products and eliminating inefficient middlemen. In 2011, as much as 6 percent of the U.S. gross national product was generated by industries supported by intellectual property laws; nearly 24 percent of all Internet traffic infringes on this intellectual property (History of the Internet Piracy Debate, 2011). Software piracy is more rampant outside of the U.S. In countries with developing economies, third-world countries to be exact, demand for software is supplied by piracy instead of publishers, because legitimate publishers are unable to compete with counterfeit operations at cut-throat prices (Traphagan & Griffith, 1998). The issue with piracy is that it prevents local developers from being paid for their property, stymieing growth and additional job opportunities (Traphagan & Griffith, 1998).
Human factors that affect piracy include knowledge and fear of consequences; access; attitude towards piracy; and social norms (Nill, Schibrowsky & Peltier, 2010). More negative attitudes, general knowledge, and fear of the consequences of piracy tend to reduce piracy, while greater access to content leads to increased piracy (Nill, Schibrowsky & Peltier, 2010). While a more economically developed nation will lose more money to piracy, strong legal protection for intellectual property as well as enforcement of the laws will reduce piracy (Traphagan & Griffith, 1998). As for developed nations that cannot enforce laws as well, the culture must see that software piracy is the same as stealing a car (Traphagan & Griffith, 1998). Ultimately, regardless of socio-economic status, all people must view piracy and copyright infringement in the same light: it is stealing and harmful to the global economy.
Today, the world's economy, along with international security, greatly depends on a secure Internet. Our society greatly depends on computer networks. Computer networks can be seen as the nervous system of the critical infrastructures and enterprise information systems on which our society has become increasingly dependent. Hackers are discovering new types of vulnerabilities in computer systems almost every day, which could affect a nation's critical infrastructure, military satellites, and more. One of the biggest threats seen today is known as the zero-day attack or exploit.
A zero-day attack, according to Seltzer, is “a virus or other exploit that takes advantage of a newly discovered hole in a program or operating system before the software developer has made a fix available or before they’re even aware the hole exists.” This is a very dangerous type of attack because the attack occurs before it is even detected. In a sense, the zero-day attack is unpreventable, since the virus or exploit occurs when there is no existing patch to correct the flaw. A zero-day attack takes a significant amount of time and money from well-trained cyber-criminals in order to be successful, because it is a targeted attack that finds security vulnerabilities. One of the greatest zero-day exploit computer worms is known as Stuxnet.
Stuxnet is a computer worm that was able to disrupt Iranian nuclear enrichment in 2010. Stuxnet was the first instance of a cyber attack that was able to cause physical damage across international boundaries, and it was considered to be a new type of warfare with the capability of threatening even the strongest of military powers. According to Symantec, an American security corporation, Stuxnet is one of the most complex threats the company has analyzed. The purpose of Stuxnet was to target industrial control systems, or similar systems used in gas pipelines and power plants, and to reprogram them. This zero-day exploit was discovered in July of 2010 but had existed for at least one year prior to its discovery. Stuxnet ultimately sabotaged Iran's nuclear systems.
One of the most effective ways to prevent a zero-day attack is to try to find any vulnerability before someone else does. Government agencies and public organizations are willing to hire, and post rewards for, individuals who are capable of finding exploits within a program or operating system. It takes skilled hackers to perform a zero-day exploit. They must have the time and resources to find a vulnerability that has no existing patch or fix. As mentioned before, one way to prevent a zero-day exploit is to find the vulnerability before the cybercriminals do. Organizations will hire ethical hackers to find vulnerabilities within their systems. One example is Google, which has a reward system for anybody who can find an exploit within Google Chrome. Google sponsors up to $1 million worth of rewards to those who can find exploits in Google Chrome. The United States government is willing to pay up to six figures for exclusive use of attacks to those who can create attacks on vulnerable systems.
Other countries, such as China and Russia, are also willing to pay rewards to the people who come up with system attacks in order to gain exclusive use of them. A second policy that can help prevent a zero-day exploit is to have the private sector and the public sector work together with limited restrictions on communication and information sharing. One of the main concerns about a zero-day exploit is an attack on a nation's critical infrastructure. A critical infrastructure can be defined as “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters” (Moteff, 2014, p. 2).
Critical infrastructures are important for a nation's health, wealth, and security. One of the problems between the private and public sectors is communication. The public sector is at times unwilling to share information with the private sector for fear of handing out classified information, and the private sector is unwilling to share information with the public sector for fear that public sector competitors can gain information that can be used against them. A strategy proposed by the Commission was to have the private sector and the appropriate government agencies achieve greater cooperation and communication by “Setting a top level policy-making office in the White House” and establishing a council that would include corporate executives and state and local government officials (Moteff, 2014, p. 3).
A third method, which can also be seen as one of the top methods, is to greatly expand research and development in technologies. This can be achieved by expanding education so that new technologies can be developed that allow for greater detection of intrusions, thus limiting the number of zero-day exploits.
Military and Economic Advantages of Zero-day Exploit
A zero-day exploit is considered a very dangerous cyber attack, since the attack targets holes in programs or operating systems before a software fix is available or before developers are even aware that a hole exists in that program or operating system. Since the world today is heavily reliant on the Internet and on computer networks, a zero-day exploit against the military can be very devastating. If a zero-day attack occurred on a nation's critical infrastructure, such as water systems, transportation, and communications, it could leave that nation defenseless and vulnerable to attacks that can destroy a nation along with its citizens.
The zero-day attack known as Stuxnet was able to disrupt Iran's nuclear enrichment and was the first ever recorded cyber attack to cause physical damage. Zero-day exploits can be seen as a new type of cyber attack that could ultimately be used for cyber warfare. Any zero-day attack on a nation's critical infrastructure will cause mass havoc, which could even lead to human casualties.
Meta-Data collected and used by the Private sector and Public sector
Important Security Issues
Metadata collection is a major issue for both the private and public sectors. The methods and approaches used to collect information are not 100% secure. There are always leaks and breakage points in any transmission of data traveling from one location to another. These vulnerabilities are exploited when hackers gain access to sensitive information; with this information they are able to monitor and analyze data that, in the consumer's eyes, is not a major concern and needs no precaution or further action. There are tools that can be used to carry out a metadata attack; such a tool works by gathering the data from a document that has been created. According to Vulnerabilities/Threats (2009), “For example, Word Document metadata can be viewed within the Properties menu option in Microsoft Word, or by enabling the viewing of previous edits with the “Track Changes” option.” It has been reported that Adobe Acrobat can detect and display metadata in PDF files.
Two tools used to collect data at a high pace are CeWL and MetaGooFil, which were designed to retrieve metadata that may be available through the Internet. CeWL works by developing a word list for brute-forcing passwords involving websites. This tool can also extract any author names or email addresses that can be discovered in Microsoft Office files, and it can process files that have already been generated. MetaGooFil functions by using the Google search engine to randomly look up certain types of files. Once the downloading process has been completed, the metadata is placed in an HTML report that reveals the information that was retrieved. Another issue involving metadata is that a great many organizations overlook this matter, which leaves them lacking in security and leaves their defenses vulnerable to serious attacks.
Organizations fail to take seriously metadata attacks and how they are connected with spear-phishing and social engineering. Spear-phishing can target the email addresses of individuals who work on certain documents. A vulnerable version of the Microsoft Office suite can be targeted by an attacker who creates a file and sends it to a client with the intent to steal information. Social engineering relies on already knowing individuals' names and using them in phone call schemes to appear more believable than the callers really are.
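A pre-publication check for the Office metadata described above (author names, email addresses, "Track Changes" authors), given here as an added example that is not part of the original paper. The sample document, the names in it and the choice of which properties count as sensitive are constructed assumptions; only the Python standard library is used.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Assumption: these are the identifying properties the organization wants blank.
SENSITIVE = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["ep:Company", "ep:Manager"],
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx package with made-up names."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:title>Q3 plan</dc:title><dc:creator>Jane Example</dc:creator>'
            '<cp:lastModifiedBy>j.example@corp.example</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}">'
           '<Company>Example Corp</Company></Properties>')
    body = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
            '<w:r><w:t>Final text.</w:t></w:r>'
            '<w:del w:id="1" w:author="Sam Reviewer">'
            '<w:r><w:delText>old draft</w:delText></w:r></w:del>'
            '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Report identifying properties, tracked-change authors and email addresses."""
    found = {"properties": {}, "revision_authors": set(), "emails": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in SENSITIVE.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                el = root.find(field, NS)
                if el is not None and (el.text or "").strip():
                    found["properties"][field] = el.text.strip()
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            w = "{%s}" % NS["w"]
            for tag in ("ins", "del"):  # insertions and deletions kept by Track Changes
                for el in doc.iter(w + tag):
                    if el.get(w + "author"):
                        found["revision_authors"].add(el.get(w + "author"))
        for name in names:
            if name.endswith((".xml", ".rels")):
                text = z.read(name).decode("utf-8", "replace")
                found["emails"].update(EMAIL_RE.findall(text))
    return found


def scrub_docx(data: bytes) -> bytes:
    """Return a copy with the sensitive properties blanked; other parts unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename in SENSITIVE:
                root = ET.fromstring(payload)
                for field in SENSITIVE[info.filename]:
                    for el in root.findall(field, NS):
                        el.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_docx(sample))
    print("after: ", audit_docx(scrub_docx(sample)))
```

Blanking the properties is not enough on its own: the tracked-change author survives until the revisions are accepted or rejected in the editor, which is why the audit is run again after scrubbing.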
Recommended Policy Controls
Policies could be administered to govern how information is obtained by the public or private sectors. Such policies should be firm and strict and should work on a need-to-know basis. Access to certain information needs to be minimized if a particular individual has no purpose or reason for obtaining or viewing it. Policies can also change the way information is handled to better ensure the safety of sensitive data. On-the-job training and security awareness sessions can educate people about the severity of becoming victims of metadata attacks. Having mechanisms in place would be a great approach to handling policy controls. There are mechanisms that convey metadata into Diffserv DSCP. According to Atarashi, R., Miyake, S., Baker, F. (2002), “The data and application need to be identified to the network, in order to gain service from the network appropriate to it.” The application gains access to the information that becomes available in its terms, including owner, format, etc. In this situation the network is concerned with the type of service the applications are looking for, and a translator with an API should already be in place. QoS is highly desirable in controlling metadata and Internet applications.
According to metadata is going to be important not only for structuring and discovering digital resources but also for communication interaction. The lingo used in the security industry is threat, vulnerability, risk, and control. Policy controls are implemented to reduce the possibility of a risk and of one actually happening. Having multiple security layers is an ideal approach to policy controls. According to Harris (1976), “The rule of thumb is the more sensitive the asset, the more layers of protection that must be put into place.” These layers should be merged and unified as one; to put into perspective how the multiple layers complement one another, they can be viewed as the layers of a cake. In this cake you have: 1. Physical security; 2. Virus scanners and patch management; 3. Rule-based access control and account management; 4. Secure architecture, demilitarized zones (DMZ), and firewalls; 5. Virtual private networks (VPN); 6. Policies and procedures. These six functions will help control, minimize, and monitor any potential threats that metadata may pose.
How/Why Human Factors Influence Policy
Human factors can influence the effectiveness of the recommended policy controls through enforcing them on a daily basis, and through understanding the threat, its capabilities, and how an attack can cripple an organization. These policy controls can be successful as long as the people standing behind them believe in them, and as long as there is a strong foundation so that if one layer of security collapses, another is in place as support. Routine awareness training is another way to ensure the effectiveness of the policy controls that are in place for unexpected occurrences.
There is an old saying, “account for variable changes,” meaning that there should always be plans for the unknown. A human factor that will play a major role is a person with good morals and organization. Lacking these traits reduces effectiveness when it comes to handling policy controls. Individuals who value integrity will be a great asset when it comes to honoring the standards and policies that are in place.
Vulnerability assessments for Mobile Devices in the BYOD environment
Important Security Issues
In the 21st century, cyber security is the number one threat, affecting everyone from individuals all the way to corporations. It is important to understand the critical security issues involved in vulnerability assessment of mobile devices in a BYOD environment. Bringing BYOD into the work environment, with increased access to web applications, cloud computing and software as a service (SaaS) offerings, means that employees, business partners and customers are increasingly accessing information using web browsers on devices that are not managed by the organization, which opens the door to critical security and HIPAA violations if security issues are not addressed correctly. An article in a network security magazine stated that the “Harris survey determined that 47% of employees use personal desktop computers to access or store company information, while 41% do this with personal laptops, 24% with smart phones and 10% with tablets.
However, with less than half of these devices being protected by basic security measures, some organizations may begin to worry that the security challenges associated with BYOD far outweigh the benefits.” (1) The challenge that comes along with BYOD is that corporate data is delivered to devices not managed by the IT department, which has security implications for data leakage, data theft and regulatory compliance and leaves the enterprise with fewer controls and less visibility. Given that “key-loggers, malware and cyber-attacks have greatly increased the potential of unauthorized access to, and information theft from endpoints”, the D in BYOD doesn't stop at smart phones. The SANS Institute has explained that handheld devices combined with laptops and removable storage (e.g. USB keys) introduce specific threats to a corporation's or an organization's assets, and that a security policy can establish rules for the proper use of handheld devices within intranets. (2)
Employees can access information from home on their personal computers and tablets, which can be infected with malware or key-loggers that give outsiders access to the company's systems for future cyber-attacks. Companies can start losing visibility into data access when “BYODs are bypassing inbound filters normally applied to standard corporate devices. They’re vulnerable to malware-a fast growing risk, particularly in regards to android devices”. (3) The security issues with bringing Android devices, rather than Apple devices, into BYOD are the Google Play store and the fragmentation of devices and OS versions. Google Play (formerly called the Android Market) has a higher percentage of apps that contain malware, or social engineering to connect to malware, than any other app store by an order of magnitude. (4) The store is not policed well, and these factors continually create friction or resistance towards greater adoption of Android devices in the enterprise environment.
Recommended Policy Controls
Given the changing environment as BYOD enters the enterprise, there should be some checks and balances in the form of recommended policy controls. To protect users in the enterprise, good policies to implement would be requiring all devices to be encrypted to protect intellectual property, and to “restrict the downloading of specific applications known to contain malware, and insufficient security protocols or other vulnerabilities. Combining some of these with a robust VPN solution, that any enterprises and their employees can enjoy the convenience, productivity and cost-savings of BYOD without placing critical data at risk” (5).
The organization's security policy should be categorized as follows, starting with general policies: security policies for enterprise-level use of mobile devices that restrict access to hardware and software, manage wireless network interfaces, and detect policy violations when they occur. For data communication and storage, it is highly recommended that data communication and data storage be encrypted and that the device be properly wiped before reissuing. Another policy control deals with user and device authentication before allowing access to the organization's resources.
Applications need restrictions on installing and updating applications and on the use of synchronization services, along with verification of the digital signatures on applications. For a BYOD program to work in an enterprise environment, it should start with mobile device management (MDM), the intent of which is to fully optimize the functionality and security of mobile equipment in the enterprise environment while simultaneously securing the corporate network.
How/Why Human Factors Influence Policy
In order for BYOD programs to work correctly, the human factors need to be taken into account. When an enterprise owns its devices, it can dictate their use and configuration. When employees bring their own devices into the enterprise, those devices are configured to their own needs and priorities, which are wildly different from the enterprise standard configuration. As the network grows, technology advances and individuals rely on BYOD, the network access policy will be so at odds with employees' access to information that they will look for ways to get around the system, which in turn hurts productivity. Keep in mind that with the growing consumerization of IT and the rapid pace of new and developing technologies, many employees are nearly as technically savvy as their IT department.
Even the lowly employee is capable of finding tools that do the job better than what the company issues, and uses these alternative programs under the radar. A big concern for human resources (HR) is having a proper legal framework in place, constructed to take into consideration the occasions when staff leave the company and take their own devices with them. Those devices could hold confidential information, including the company's intellectual property, that another company can use or that a hacker can take advantage of for a future cyber attack.
As time goes on, human factors do have a great influence on the policies that organizations create to deal with international cyber-security issues. For each of the four cyber security issues presented in this paper (zero-day exploits, metadata collected and used by the private and public sectors, vulnerability assessments for mobile devices in the BYOD environment, and threats to copyright and ownership of intellectual property), it was identified that the topic was influenced by human factors, which shaped the rules and policies developed to decrease the rise of cyber security incidents that occur around the world. As we consume more electronic devices, there will be more adjustments to the topics that were presented, with new security issues that will bring new recommended control policies to balance the international cyber security threat at hand.
1. Bill Morrow, BYOD security challenges: control and protect your most sensitive data, Network Security, Volume 2012, Issue 12, December 2012, Pages 5-8, ISSN 1353-4858, http://dx.doi.org/10.1016/S1353-4858(12)70111-3.
2. SANS Institute (2008). Security Policy for the use of handheld devices in corporate environments. Retrieved from http://www.sans.org/reading-room/whitepapers/pda/security-policy-handheld-devices-corporate-environments-32823?show=security-policy-handheld-devices-corporate-environments-32823&cat=pda
3. Pacific, Lisa. “BYOD security strategies: Balancing BYOD risks and rewards.” N.p., 28 Jan. 2013. Web. 24 Apr. 2014. <http://searchsecurity.techtarget.com/feature/BYOD-security-strategies-Balancing-BYOD-risks-and-rewards>.
4. “A clear-eyed guide to Android’s actual security risks.” InfoWorld. N.p., n.d. Web. 27 Apr. 2014. <http://www.infoworld.com/d/mobile-technology/clear-eyed-guide-androids-actual-security-risks-232034>.
5. Graf, O. P. (2013, April 12). The Physical Security of Cyber Security. Retrieved from http://vpnhaus.ncp-e.com/2013/04/12/vpns-and-common-sense-policies-make-byod-safer/
6. Growth of Internet Piracy. Congressional Digest, 90(9), 258-288.
7. History of the Internet Piracy Debate. (2011). Congressional Digest, 90(9), 258-288.
8. Nill, A., Schibrowsky, J., & Peltier, J. W. (2010). Factors That Influence Software Piracy: A View from Germany. Communications of the ACM, 53(6), 131-134. doi:10.1145/1743546.1743581
9. OSS-Piracy. (2009). Alleviating piracy through open source strategy: An exploratory study of business software firms in China. Retrieved 4/18/2014 from http://infojustice.org/download/gcongress/open_business_models/yang%20article.pdf.
10. Rideout, B. (2011). Printing the Impossible Triangle: The Copyright Implications of Three-Dimensional Printing. Journal of Business, Entrepreneurship & Law. Available at http://digitalcommons.pepperdine.edu/jbel/vol5/iss1/6
11. Thompson, C. (2012). 3-D printing’s forthcoming legal morass. Wired.co.uk. Obtained from: http://www.wired.co.uk/news/archive/2012-05/31/3-D-printing-copyright
12. Traphagan, M., & Griffith, A. (1998). Software Piracy and Global Competitiveness: Report on Global Software Piracy. International Review of Law, Computers & Technology, 12(3), 431-451. doi:10.1080/13600869855298
13. Vulnerabilities/Threats (2009). Tech Insight: How Attackers Use Your Metadata Against You. Retrieved from: http://www.darkreading.com/vulnerabilities—threats/tech-insight-how-attackers-use-your-metadata-against-you/d/d-id/1130395?
14. Atarashi, R., Miyake, S., Baker, F. (2002). Policy Control Network Architecture using Metadata. Proc. Int. Conf. on Dublin Core and Metadata for e-Communities. Retrieved from: http://www.bncf.net/dc2002/program/ft/poster1.pdf
15. Harris, S. (1976). CISSP exam guide. ISBN 978-0-07-178174-9